SSH-DAuth: secret sharing based decentralized OAuth using decentralized identifier

OAuth2.0 is a Single Sign-On approach that allows users to log into multiple applications without re-entering their credentials. Here, the OAuth service provider controls the central repository where data is stored, which may lead to third-party fraud and identity theft. To circumvent this problem, we need a distributed framework to authenticate and authorize the user without third-party involvement. This paper proposes a distributed authentication and authorization framework using a secret-sharing mechanism that comprises a blockchain-based decentralized identifier and private distributed storage via the InterPlanetary File System. We implemented our proposed framework in Hyperledger Fabric (permissioned blockchain) and on an Ethereum TestNet (permissionless blockchain). Our performance analysis indicates that secret sharing-based authentication takes negligible time for share generation and for combining shares at verification. Moreover, security analysis shows that our model is robust, end-to-end secure, and compliant with the Universal Composability framework.

• To improve user identity management by creating a more secure and reliable authentication and authorization system that takes advantage of blockchain technology's decentralized and immutable nature.
• To prevent unauthorized access and lessen the danger of data breaches, user identities are distributed and protected using secret sharing.
• To establish a system resilient to single points of failure and impervious to censorship and hacking, the work investigates the use of the InterPlanetary File System (IPFS).
• Traditional authentication techniques can become more prone to new dangers as technology develops.
We aim to develop secure and privacy-conscious SSO systems, paving the way for more reliable and user-centric identity management solutions across diverse services.

Our contribution
In this paper, we propose and implement a blockchain-enabled distributed authorization scheme designed to perform SSO in a zero-trust environment. We add a secret-sharing mechanism that allows participants to split the user's Decentralized Identifier (DID) into several shares, so that each user holds a mandatory share of their own DID. The DID can only be reconstructed when sufficient shares are combined together with the mandatory share for authorization. The following are the main contributions of our framework.
• Using our model, participants can authenticate independently without relying on a Trusted Third Party (TTP).
• We showed that our proposed model is secure under the universal composability framework and guarantees fairness by authenticating the users through DID and smart contracts.
• To the best of our knowledge, this is the first work proposed on a distributed authentication framework based on DID using a secret sharing mechanism.
• There are limitations in OAuth2.0, and our framework addresses these limitations by leveraging the latest technologies. Table 1 compares our proposed model with the OAuth2.0 framework.

Preliminaries

Identity access management
Identification of the authorized users who may use the appropriate resources within an organization is done through the Identity Access Management (IAM) system [9]. The three types of access management are Independent Identity Management (IIM), Centralized Identity Management (CIM), and Federated Identity Management (FIM). The IIM and FIM models support multiple IdPs, whereas a CIM system has only one IdP. The SSO approach, widely adopted by Google and Microsoft, falls under the FIM model. In our framework, we follow the FIM model.

Authentication schemes
This section reviews various authentication schemes in which the users must prove their identity before accessing data.
Security assertion markup language (SAML)
SAML was developed by the OASIS foundation and released in March 2005. It is an open standard for authorization and authentication that allows two web entities to exchange data. SAML assertions are used as security tokens for authenticating users. As an assertion contains security claims about the subject, the validity of these claims should be certified. This validation can be done using Extensible Markup Language (XML) signatures, which should cover the entire SAML assertion. SAML supports XML, HTTP, SOAP, and other protocols that can transfer XML signatures. The working of SAML is described through the timeline diagram in Fig. 1. The working of OpenID and OAuth is described through the timeline diagram in Fig. 2. The comparison between SAML, OpenID Connect, and OAuth2.0 is shown in Table 2.

Self-sovereign identity model
The Self-Sovereign Identity (SSI) model provides a secure digital identity in which the user controls their own information [10]. This model provides a trusted relationship between the user and websites for accessing protected resources without relying on any central repository. SSI is made of claims, proofs, and assertions: claims are the identities the user creates when registering with the blockchain, proofs are documents that act as evidence for the claims, and assertions are stored on the user's device and validated by other parties to check whether the claims are valid.

Decentralized identifiers
A Decentralized Identifier (DID) [12] is a globally unique and persistent identifier developed as a standard by the World Wide Web Consortium (W3C), as shown in Fig. 3.

Blockchain technology
Blockchain technology is a decentralized computation and distributed ledger platform that efficiently stores immutable transactions in a verifiable manner through a rational decision-making process among multiple parties in an open and public system [14]. Blockchain allows individuals and companies to instantly store and

Hyperledger fabric
Hyperledger Fabric [22] is an open-source blockchain framework developed under the Hyperledger project. It offers a modular architecture that enables organizations to create permissioned blockchain networks and decentralized apps. Fabric supports programmable logic called chaincode, private channels, and pluggable consensus algorithms. Chaincode [23] is the business logic deployed on the network that enables users to interact with the blockchain and perform various actions, like reading or modifying the ledger or invoking transactions. Chaincode runs in a secured Docker container isolated from the endorsing peer process. Chaincode initializes and manages the ledger state through transactions submitted by applications. Chaincode is written in Go, Node.js, or Java and implements a prescribed interface.

IPFS
The InterPlanetary File System (IPFS) [24] is a peer-to-peer network system for storing and accessing data. As a content-addressed protocol, IPFS splits each file into smaller chunks that are hashed cryptographically and given a unique fingerprint called a Content Identifier (CID).

Related works
Many researchers have introduced frameworks for implementing secure authentication. For instance, Teja [25] implemented a safe authentication system for preventing phishing attacks by using secret sharing and QR code scanning. This mechanism works on a dedicated mobile application, which eliminates the process of logging in via user credentials. In this system, when the user scans the QR code, the mobile application generates a code and sends it to an authentication server. The server validates the code using Lagrange's polynomial and gives access to the user's protected resources.
Seong-ho Hong [26] proposed a new SSI-based OAuth model named Vault-point, which provides decentralization and integrity to the user. Vault-point uses the Ethereum platform and consists of three types of smart contracts, namely the Identification contract, the Notification contract, and the Client management contract. The Identification contract stores the information related to the user, who can edit, delete, and update his identity. The Notification contract delivers the client's authorization request to the corresponding user's device. In the Client management contract, the client's (service provider's) information is stored and executed when the user wants to connect to the service provider.
Nikos Fotiou proposed a token-based OAuth2.0 using a distributed ledger [27]. In this token system, the resource server grants permission to the protected user data by validating the ERC-721 token corresponding to the JSON Web Token (JWT) received from the client. Anjum [28] developed a distributed framework for storing patients' medical records (PMR) based on the Ethereum blockchain. The ERC-721 standard tokenizes these records, which are then stored in the private distributed storage known as IPFS. Furthermore, to provide complete control over the medical records of the patients, the proposed framework incorporates a Non-Linear Secret Sharing (NLSS) scheme of type (1, t, n).
Soumyashree [29] designed a blockchain-based distributed IoT architecture for secure authentication and key management. This method achieves authentication using a one-way hash chain technique, in which cryptographic hash values are generated from a single key and cannot be reverted. The framework includes three layers, namely the device, fog, and cloud layers. The access managing nodes (AMNs) in the fog layer oversee the devices present within the device layer. These AMNs together form a blockchain network that generates, distributes, and manages the secret keys. All transactions between the layers are validated and processed by the AMNs.
Hadjer Benhadj [30] introduced a lightweight blockchain-based verification mechanism to eliminate the single point of failure and reduce the communication overhead and validation burden of a centralized Public-Key Infrastructure (PKI). The strategy addresses these issues by recording the validators' admission/revocation details on the decentralized blockchain. As a result, no IoT device needs to add its certificate to each message, as the blockchain network will validate its entry.
Shibasis Patel [31] proposed an authentication service based on the Ethereum blockchain called DAuth, in which the user's session is activated by validating signatures. Initially, the backend requests the signature generated over the user's message, encrypted with their AuthKey and signed using the MetaMask plugin. After receiving the request, the backend validates the received signature. Schiffman [32] developed a DAuth authorization mechanism that permits users to access services from distributed web applications in a specific and flexible manner. In this system, DAuth oversees assigning and revoking protected resources through a policy-defined set of rules that eliminate the dependency on a centralized system.
Abbas [33] reported an effective decentralized authentication system using blockchain to reduce the communication latency of patient healthcare records in interconnected healthcare systems. This decentralized blockchain network allows patients and staff to migrate from one hospital to another without re-authentication. In this system, when a patient submits a transaction in the hospital, the nursing station acts as a validator in an affiliated hospital, performs preliminary checks such as signature verification and sufficient balances, and executes the transaction. After a successful transaction, the nursing station adds it to the ledger. Suresh Babu [34] proposed a distributed identity-based authentication scheme to provide trust among resource-constrained IoT devices by delivering data protection and access control during unsecured communication. This model solves the single point of failure of public-key infrastructure (PKI) and the private key generator (PKG), along with its key escrow problem.
Nagendra Kumar Nainar [35] introduced a distributed authentication and validation system for user information, including data related to public keys within the blockchain. In this process, an electronic device produces a chunk of data, attaches a signature to it, and transmits the chunk to one or more client devices in response to individual requests or to the network address specified within the request. These signatures are produced using the private key of the electronic device. The electronic device stores the data, including details of the public key related to the private key, in a first ledger entry of a blockchain.
Balaji Balaraman [36] presented the idea of a single sign-on solution using blockchain. In this case, when a system receives a registration request from the service provider, the system invokes the smart contract to check whether the credentials match a stored credential in the blockchain. Based on the login credential, the system creates a single sign-on token in response to the matching stored credential. The system transmits the single sign-on token to the client's device and grants access to the system within the peer-to-peer network.
Vinit Kumar [37] proposed a Decentralized Open Authorization Framework in which the authorization server is split into two servers. Each server receives unique credentials and creates a unique access token. The individual access tokens are verified and combined into one token at the resource server. The resource server validates it and grants access to the protected resources.
Padma [38] presented an authentication and authorization mechanism called D-Auth for accessing serverless cloud applications, providing server-based OTP and token authentication. This mechanism uses a token introspector to authorize users requesting access to services present in the serverless cloud.

Our proposed scheme
Table 4 summarizes the notations used in this paper. As shown in Fig. 4, there are two main modules in our scheme: the Identity Creation and Registration Phase and the Identity Authentication Phase.

Protocol design
Let us assume that user U wants to log in to a service provider S_p using the blockchain system [Ethereum (IdP_Eth) or Hyperledger Fabric (IdP_HLF)]. There are two key phases in performing this.

Identity creation and registration phase
Initially, a valid identity is created for the user that complies with the W3C DID standards. Then comes the user registration phase. The details are as follows.
1. U submits the details (Name||Email_ID||SSN||Blood_Group||Birth_Date||Phone_Number) to the W_App for creation of the DID that complies with W3C DID standards.
2. The DID is then passed to a (1, 3, 4)-scheme SSH_Generate to generate four shares (DID_MS, DID_S2, DID_S3, DID_S4) as per Algorithm 1, of which the first share is mandatory to regenerate the DID.
3. DID_MS is the critical share: combined with any two of the remaining three shares, it reveals the DID. It should therefore be kept private and secure by U.

Identity authentication phase
In this phase, the user U uses the Decentralized Identifier (DID) to perform single sign-on to the Service Provider (S_p).
1. U visits the S_p's W_App, signs in using either IdP_Eth or IdP_HLF, and provides the DID.
2. The W_App calculates Hash(DID) and sends it to S_p.
3. S_p now verifies Hash(DID) against the Blockchain to confirm the existence of a valid user.
4. If the provided DID belongs to a valid U, then (Hash(DID)||OneOf(IPFS_Hash(DID_S2), IPFS_Hash(DID_S3), IPFS_Hash(DID_S4))) is provided by the Blockchain to S_p.
5. S_p now uses OneOf(IPFS_Hash(DID_S2), IPFS_Hash(DID_S3), IPFS_Hash(DID_S4)) to fetch one of the shares from IPFS.
6. S_p requests verification from U by providing (Hash(DID)||OneOf(DID_S2, DID_S3, DID_S4)).
7. U now uses DID_MS, similar to a private key or password, to authenticate and submits it. The W_App calculates Hash(DID_MS) to verify it against the Blockchain.
8. If the hash matches, the W_App fetches one other share from IPFS and performs the combination operation SSH_Combine(DID_MS, OneOf(DID_S2, DID_S3, DID_S4), Other(DID_S2, DID_S3, DID_S4)) to reveal the DID, as given in Algorithm 2.
9. U now shares (Hash_Calculated(DID)||Hash(DID_MS)) with S_p.
10. S_p now verifies Hash(DID_MS) against the Blockchain and verifies that the Hash_Calculated(DID) from U is the same as the Hash(DID) it obtained initially, thus successfully verifying U.
11. S_p will now generate a random nonce (ω) and send (ω||OneOf(IPFS_Hash(DID_S2), IPFS_Hash(DID_S3), IPFS_Hash(DID_S4))) to U.
12. U now uses OneOf(IPFS_Hash(DID_S2), IPFS_Hash(DID_S3), IPFS_Hash(DID_S4)) to fetch one of the shares from IPFS, as given by S_p, and computes Hash(ω + OneOf(Share)). This computed hash value (Hash_Nonce+Share) is returned to S_p.
13. S_p now verifies (Hash_Nonce+Share), thus providing multifactor verification.
In the Identity Creation and Registration Phase, we use a smart contract (resp. chaincode) to store the hashes of the shares on the Ethereum (resp. Hyperledger Fabric) Blockchain. In the Identity Authentication Phase, the Web Application retrieves the shares from the Blockchain using the smart contract or chaincode. Share generation and secret reconstruction (i.e., Algorithms 1 and 2) are off-chain computations. In our proposed model, we used the Solidity programming language to write the smart contract and deployed the application on the Ethereum Ropsten Test Network (permissionless blockchain). We deployed chaincode written in the Go language for the Hyperledger Fabric permissioned blockchain. Web3.js was used to interface the User Interface with the Blockchain smart contracts.
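To make the two phases concrete, the following is an added example (not the paper's implementation) that simulates the registration phase and the 13-step authentication flow in Python. The Ethereum/Fabric ledger and IPFS are replaced by in-memory dictionaries, Hash(·) is assumed to be SHA-256, a CID is modelled as the hash of the stored bytes, and SSH_Generate/SSH_Combine are replaced by a simple XOR-based (1, 3, 4) construction rather than the paper's Algorithms 1 and 2; the DID string is constructed, and all class and function names are assumptions.

```python
"""Added example (not the paper's or the project's code): an in-memory simulation of the
SSH-DAuth registration and authentication phases.  The blockchain and IPFS are replaced
by dictionaries; Hash(.) is assumed to be SHA-256; the (1,3,4) scheme below is a simple
XOR construction standing in for Algorithms 1 and 2.  All names are assumptions."""
import hashlib
import json
import secrets


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def h(data: bytes) -> str:
    """Hash(.) of the protocol, assumed to be SHA-256 (hex digest)."""
    return hashlib.sha256(data).hexdigest()


# --- stand-in for Algorithm 1 / 2: (1,3,4) scheme with a mandatory share DID_MS ---
def sss_generate(did: bytes):
    """Return DID_MS and shares S2..S4; DID_MS plus any two of S2..S4 rebuild the DID."""
    n = len(did)
    ms = secrets.token_bytes(n)              # DID_MS: one-time pad over the DID, kept by U
    r = xor(did, ms)                         # remainder: uniformly random without DID_MS
    pa, pb = secrets.token_bytes(n), secrets.token_bytes(n)
    pc = xor(xor(r, pa), pb)                 # r = pa ^ pb ^ pc
    # 2-of-3 by replication: each ordinary share holds two of the three pieces, so any
    # two shares cover all three, while a single share misses one uniformly random piece
    shares = {"S2": {"a": pa, "b": pb}, "S3": {"b": pb, "c": pc}, "S4": {"c": pc, "a": pa}}
    return ms, shares


def sss_combine(ms: bytes, share_x: dict, share_y: dict) -> bytes:
    pieces = {**share_x, **share_y}
    if set(pieces) != {"a", "b", "c"}:
        raise ValueError("two distinct ordinary shares are required")
    return xor(xor(xor(pieces["a"], pieces["b"]), pieces["c"]), ms)


def encode_share(share: dict) -> bytes:
    return json.dumps({k: v.hex() for k, v in sorted(share.items())}).encode()


def decode_share(blob: bytes) -> dict:
    return {k: bytes.fromhex(v) for k, v in json.loads(blob).items()}


class IPFS:
    """Content-addressed store; the CID is modelled as the SHA-256 of the content."""
    def __init__(self):
        self.blobs = {}

    def add(self, data: bytes) -> str:
        cid = h(data)
        self.blobs[cid] = data
        return cid

    def cat(self, cid: str) -> bytes:
        data = self.blobs[cid]
        if h(data) != cid:                   # a tampered share would no longer match its CID
            raise ValueError("CID mismatch")
        return data


class Chain:
    """Smart contract / chaincode state: only hashes and CIDs, never a DID or a share."""
    def __init__(self):
        self.records = {}                    # Hash(DID) -> {"ms_hash": Hash(DID_MS), "cids": [...]}


def register(did: str, chain: Chain, ipfs: IPFS) -> bytes:
    """Identity creation and registration phase; returns DID_MS, which only U keeps."""
    ms, shares = sss_generate(did.encode())
    cids = [ipfs.add(encode_share(shares[k])) for k in ("S2", "S3", "S4")]
    chain.records[h(did.encode())] = {"ms_hash": h(ms), "cids": cids}
    return ms


def authenticate(did: str, ms: bytes, chain: Chain, ipfs: IPFS) -> bool:
    """Identity authentication phase (steps 1-13) with the S_p and W_App checks inlined."""
    did_hash = h(did.encode())                           # steps 1-2: W_App sends Hash(DID) to S_p
    rec = chain.records.get(did_hash)                    # step 3: S_p looks up Hash(DID) on chain
    if rec is None:
        return False
    cid_one = secrets.choice(rec["cids"])                # steps 4-6: S_p fetches OneOf(...) and
    share_one = decode_share(ipfs.cat(cid_one))          # forwards it to U together with Hash(DID)
    if h(ms) != rec["ms_hash"]:                          # step 7: W_App checks Hash(DID_MS)
        return False
    cid_other = secrets.choice([c for c in rec["cids"] if c != cid_one])
    share_other = decode_share(ipfs.cat(cid_other))      # step 8: second share, then SSH_Combine
    did_calc = sss_combine(ms, share_one, share_other)
    # steps 9-10: U returns Hash_Calculated(DID) || Hash(DID_MS); S_p compares with steps 2-3
    if h(did_calc) != did_hash:
        return False
    # steps 11-13: S_p challenges U with a fresh nonce omega and a CID; U answers with
    # Hash(omega || share) and S_p recomputes it, binding the share fetch to this session
    omega = secrets.token_bytes(16)
    cid_chal = secrets.choice(rec["cids"])
    response_from_u = h(omega + ipfs.cat(cid_chal))
    return secrets.compare_digest(response_from_u, h(omega + ipfs.cat(cid_chal)))
```

Note what each party ends up holding: the chain record contains only Hash(DID), Hash(DID_MS) and three CIDs, IPFS holds only the ordinary shares, and DID_MS never leaves the user; a wrong DID_MS is rejected at step 7, and even if that check were skipped the reconstructed DID would fail the step 10 comparison.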

Key algorithm: secret sharing scheme
A Secret Sharing Scheme (SSS) is a cryptographic method for breaking a secret into multiple shares and distributing them among the participants. The dealer distributes the secret to the n participants as shares; when the required condition is fulfilled (a group of t participants forming a set in the qualified set Γ_Qual has joined), the secret can be reconstructed from the shares. This system is called a (t, n)-secret sharing scheme. Here [39], the least number of shares t, called the threshold, is required to reconstruct the secret. An adversary who discovers fewer shares than the threshold will not be able to obtain the secret. Blakley [40] utilized a geometric approach to share the secret among the participants: the secret is the point in t-dimensional space at which all the hyperplanes intersect. Secret sharing schemes are beneficial for storing highly sensitive data, encryption keys, and missile launch codes. By distributing the data among the participants, every individual has command and control over the data, thus minimizing the loss of data due to a single point of failure.
We use an ideal (1, t, n)-SSS to implement our framework. Let the set of participants be denoted P = {p_1, p_2, p_3, ..., p_n}. An SSS with minimal qualified set Γ_QM = {A ∈ Γ_Qual : p_1 ∈ A and |A| = t}, with p_1 as the essential participant, is called a (1, t, n)-SSS. Arumugam et al. [41] in 2014 proposed the strong access structure-based (1, t, n)-SSS, which is a special case of the construction of Ateniese et al. [42]. For reconstructing the exact secret without any change, Cimato et al. [43] in 2004 developed an ideal SSS using both OR and NOT as reconstruction operations. In this paper, we use the ideal (1, t, n)-SSS constructions [44].

The following shows an example of a (1, 3, 4)-SSS for sharing a 0 bit and a 1 bit. Let P = {p_1, p_2, p_3, p_4} be the set of participants. The basis matrices T^0 (resp. T^1) used for sharing bit 0 (resp. bit 1) are given as
Let the data (e.g., the DID) to be shared be represented as the matrix DID = [1 0 0 1].
The shares are: DID_MS, i.e., the mandatory share; DID_S4, i.e., an ordinary share; and the column share CSh(4,1) = [0 0 0 0].
The procedure below, as per Algorithm 2, is used to reconstruct the DID. Let ∨ denote the Boolean OR operation and ∧ the Boolean AND operation. According to the SSS, participants in any one of the qualified sets of Γ_QM can reconstruct the secret. So, in this example, the qualified set selected is {p_1, p_2, p_3} in Γ_QM. The reconstruction of the DID from the shares of participants p_1, p_2 and p_3 proceeds as follows. First, generate all six intermediate values (j = 1, ..., 6) using bit-by-bit XOR of the participants' shares. The DID is then obtained by applying a bit-by-bit AND over all of them, i.e., DID = ⋀_{j=1}^{6} (·)_j = [1 0 0 1].
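The (1, t, n) access structure described above, as an added example that is not from the paper: instead of the paper's Boolean basis-matrix construction (Algorithms 1 and 2), this block realizes the same minimal qualified sets Γ_QM = {A : p_1 ∈ A and |A| = t} with additive splitting for the essential participant plus Shamir's threshold scheme over a prime field for the others. It generalizes the (1, 3, 4) example to any t and n; the function names, the prime P, and the sample DID are assumptions.

```python
"""Added example (not the paper's code): a (1, t, n) secret sharing scheme with an
essential participant p_1, built from additive splitting plus Shamir's (t-1, n-1)
threshold scheme over a prime field.  All names here are assumptions."""
import secrets

P = 2**521 - 1  # Mersenne prime; a secret must be an integer below P (up to 65 bytes)


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def shamir_split(secret, t, n):
    """Classic (t, n) Shamir: points (x, f(x)) on a random degree t-1 polynomial, f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def shamir_combine(points):
    """Lagrange interpolation at x = 0 over the prime field."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def generate_1tn(secret, t, n):
    """(1, t, n)-SSS share generation.

    p_1 receives a uniformly random mandatory share ms; the remainder r = secret - ms
    is shared among p_2 .. p_n with a (t-1, n-1) Shamir scheme.  Any t participants
    that include p_1 can rebuild the secret; any coalition without p_1 learns at most r,
    which is independent of the secret."""
    s = int.from_bytes(secret, "big")
    if not 0 <= s < P or t < 2 or n < t:
        raise ValueError("secret too large or invalid threshold")
    ms = secrets.randbelow(P)
    r = (s - ms) % P
    others = shamir_split(r, t - 1, n - 1)
    shares = {"p1": ms}
    shares.update({f"p{x + 1}": (x, y) for x, y in others})  # x = 1..n-1 -> p2..pn
    return shares


def is_qualified(subset, t):
    """Membership test for the qualified sets: p_1 present and at least t participants."""
    return "p1" in subset and len(subset) >= t


def combine_1tn(shares, subset, t, length):
    """Reconstruct the secret (as bytes of the given length) from the named subset."""
    if not is_qualified(subset, t):
        raise ValueError("subset is not a qualified set")
    points = [shares[name] for name in subset if name != "p1"][: t - 1]
    r = shamir_combine(points)
    s = (r + shares["p1"]) % P
    return s.to_bytes(length, "big")


def remainder_without_p1(shares, subset, t):
    """What t-1 ordinary participants can compute on their own: r, not the secret."""
    points = [shares[name] for name in subset if name != "p1"][: t - 1]
    return shamir_combine(points)
```

The construction keeps the property the paper relies on for DID_MS: the ordinary shares alone, however many of them are pooled, reconstruct only the one-time-padded remainder, so the mandatory share is both necessary and, on its own, useless.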

Security considerations
Informal security analysis
1. Decentralization and Immutable Ledger: Using a blockchain system introduces decentralization and an immutable ledger, which can enhance security. Since the user identity information is distributed across the blockchain network, it becomes more resilient against single points of failure and tampering.
2. Privacy and Confidentiality: The secret sharing scheme, where the user's identity is split into multiple shares stored in IPFS, can improve privacy and confidentiality. It ensures that no single entity holds complete information about the user's identity, reducing the risk of data breaches. We also assume that all communications in our protocol are encrypted.
3. Data Integrity: The immutability of the blockchain ensures that once the user identity is recorded, it cannot be altered or deleted without consensus from the network. This prevents unauthorized changes to user data, enhancing data integrity.
4. Secure Hashing: Cryptographic hashing for storing and verifying user information adds an extra layer of security. Hashing ensures that sensitive information, like the user's DID and shares, is not stored in plaintext, making it difficult for attackers to retrieve the original data.
5. Authentication Strength: The combination of the secret sharing scheme and blockchain-based verification for authentication may provide robust security, especially if the secret shares are generated and stored securely.

Universal composability security framework
In this section, we analyze the security of the proposed solution under the universal composability security framework. The basic objective of the Universal Composability (UC) framework is to guarantee that a key exchange protocol provides the same security as any other protocol that sets up session keys between two parties, even when it runs in parallel with an arbitrary set of other protocols in a distributed communication network. Here we use the UC framework to authenticate the Decentralized Identifier, under the assumption that all communication in our protocol is encrypted. The UC framework follows the approach of "security by emulation of an ideal process" [45, 46]. That is, a real protocol π_r realizes the task T if, for any adversary A attacking π_r, there exists a simulator S_A that can simulate the adversary by interacting with the ideal process F. Proof of indistinguishability then means that no environment (Z) can conclude with non-negligible probability of success whether it is interacting with π_r and A or with F and S_A for T. In our protocol, the task T is the SSO-based authentication of the Decentralized Identifier. The ideal processes in our scheme are Secret Sharing or Secret Reconstruction (F_SS), W_App Operations (F_WApp), IPFS Operations (F_IPFS), and Blockchain Operations (F_BO).

Analysis of proposed scheme
We assume that all communication is encrypted and transferred via the Internet (HTTPS). Let us assume that user U wants to log in to a service provider S_p using the blockchain system IdP [Ethereum (IdP_Eth) or Hyperledger Fabric (IdP_HLF)]. There are two key phases in performing this.

Identity creation phase
The user must create a valid identity using the selected blockchain system's supported wallet or Certificate Authority (CA).
1. U submits the details CT = (Name||Email_ID||SSN||Blood_Group||Birth_Date||Phone_Number) to the IdP through the W_App for creation of the U_I(DID) that complies with W3C DID standards. In UC this communication is represented as
• U sends (Register, reg, CT, U, W_App) to W_App and S_A, where reg is the registration tag. S_A now sends (ask, reg, CT, U, W_App) to W_App.
• W_App sends (GenerateDID, reg, DID, W_App, U) to F_WApp. F_WApp generates the DID and then transfers (res, reg, DID, W_App, U) to U and S_A. S_A now sends (res, reg, DID, W_App, U) to U.
• W_App sends (Submit, reg, CT, W_App, IdP) to F_BO and S_A.
2. The DID is then passed to SSH_Generate(1, 3, 4) to generate four shares (DID_MS, DID_S2, DID_S3, DID_S4), of which DID_MS is mandatory to regenerate the DID and should be kept private and secure by U. The three shares DID_S2, DID_S3, DID_S4 are stored in IPFS by U. The shares can now be accessed with their hash values IPFS_Hash(DID_S2), IPFS_Hash(DID_S3), IPFS_Hash(DID_S4). In UC this communication is represented as
• After receiving (res, reg, DID, W_App, U), U sends (SecretShare, reg, DID, U) to F_SS. F_SS creates the shares and writes down (store, DID_MS, U).
-6 ms; uploading a share to IPFS takes ≈ 25-28 ms, and the average time to add this identity information to the blockchain is denoted δ. Therefore, the average time for identity generation and storing the identity in the blockchain is ≈ 30-36 ms + δ s, where δ is the time required to store the transaction in the blockchain. Similarly, for authentication, the average time for share combination is ≈ 1.6 ms, as shown in Fig. 5.

Discussion
This section discusses the limitations of the previous works and how our solution overcomes these challenges, as shown in Table 5. We also discuss the limitations of our work. Soumyashree [29] implemented the authentication mechanism using a permissionless blockchain only. In our paper, we implemented the scheme for both permissioned and permissionless blockchains. This dual implementation, along with the secret sharing mechanism, improves security. The framework of Hadjer Benhadj [30] uses keys for authentication, which requires more computational power. In contrast, we use a secret sharing mechanism where users can authenticate independently without any trusted third party. The issue with the framework of Schiffman [32] is that DAuth works on policy-defined rules that are not universally compatible with most IdPs. In our framework, there is no inclusion of rules; hence, it has the flexibility to work with any IdP. In the decentralized frameworks presented by Kumar V. [37] and Padma P. [38], authorization is done based on two third-party servers and an enterprise private cloud, respectively. In contrast, our framework uses the blockchain network, which is more trustworthy.

Table 1. Comparison of OAuth2.0 with SSH-DAuth.

OpenID Connect and OAuth
OpenID Connect is an open authentication standard that adds a fundamental identity layer to OAuth. It allows clients to verify the end-user's identity via authentication performed by an authorization server. OAuth, an authorization standard developed by Twitter and Google, gives authorized clients limited access to third-party applications. In addition, it gives clients delegated access to server resources on behalf of a resource owner.
Figure 1. Timeline diagram of SAML.
Figure 2. Timeline diagram of OpenID Connect and OAuth.
Scientific Reports (2023) 13:18335 | https://doi.org/10.1038/s41598-023-44586-6

A DID offers a verifiable and decentralized digital identity. DIDs are essential components of SSI, created and controlled by individual users. A DID maps to a DID document that contains a series of claims about the user's identity. It is regarded as the linchpin of SSI and employs blockchain or another Distributed Ledger Technology (DLT) to address privacy and security concerns. It provides faster verification, privacy protection, and selective disclosure of information through the Zero-Knowledge Protocol (ZKP). Each DID has its method, as shown in Table 3.

Table 3. DID Method Specifications [16].

Blockchain allows individuals and companies to instantly store and safely exchange data and value. Information in a blockchain is transferred peer-to-peer without any middlemen or intermediaries. Users have access to see every transaction made on a permissionless blockchain, which is open and transparent. On the other hand, access and visibility are controlled in a permissioned blockchain. Bitcoin, the world's first cryptocurrency, is an example of a permissionless blockchain employing the Proof of Work (PoW) consensus algorithm. Ripple is a permissioned blockchain network that uses the ledger consensus protocol to verify each transaction.
Smart contracts are programs stored on a distributed ledger technology that execute when predetermined conditions are met [16, 17]. Smart contracts in Ethereum are written in the Solidity language. Various Ethereum Request for Comments (ERC) standards are available to handle distributed identity, which include but are not limited to ERC-1056: Ethereum Lightweight Identity [18], ERC-1207: DAuth Access Delegation Standard [19], ERC-1484: Digital Identity Aggregator [20], and ERC-4361: Sign-In with Ethereum [21].

Table 4. Summary of notations.